Webhook signing secrets can be used to verify that incoming requests genuinely originate from our systems and haven’t been tampered with. These secrets are available in the Svix Portal, accessible via the Webhooks page in your dashboard. Sohar webhooks use Svix for secure message delivery. To verify the authenticity of these webhooks, you must:
  • Use the provided webhook secret.
  • Extract and process the svix-id, svix-timestamp, and svix-signature headers.
  • Use the raw body of the request to compute the HMAC signature.
1

Install the Svix SDK

This is a JavaScript example. Other language examples are available in the Svix documentation.
npm install svix
2

Use the Webhook Verifier

import { Webhook } from 'svix';

const secret = process.env.WEBHOOK_SECRET; // Replace with your actual webhook secret

// Headers received from the webhook
const headers = {
  'svix-id': 'msg_bNaGN5s2IJgP0aeHcgjlmOzh',
  'svix-timestamp': '1750612550',
  'svix-signature': 'v1,cIoc4hu+u+C4V8o72ynm2z4tNBzu+5tcNvGyc4ELnUY=',
};

const payload = '{"status": "complete"}'; // Raw request body

const wh = new Webhook(secret);

// Throws an error if verification fails
wh.verify(payload, headers);
Always use the raw request body when verifying webhooks, as even minor changes can invalidate the cryptographic signature. Be cautious with frameworks that automatically parse and re-serialize JSON bodies - this transformation can alter the payload and cause signature verification to fail.